
I understand that I can reboot, enter the UEFI firmware (formerly BIOS) settings and look for options enabling UEFI boot and forcing secure boot. However, given an already booted system (e.g., a server I do not wish to reboot), how would I tell if Ubuntu has booted securely?

I am aware of another question asking about EFI boot, which I found useful. I have also read the article about how Ubuntu implements UEFI secure boot (surprisingly, with the assistance of Microsoft). However, these sources have not answered my question. I understand that if the system attempts to secure boot, but fails, it will restart. How can I tell what the shim and subsequent boot loaders have done to verify the boot loader chain, including the Linux kernel?

For extra credit, is there a way to see which certificate authorities (e.g., Microsoft and Canonical) were used to authenticate the boot loaders?

Thanks!

rlhelinski

1 Answer


In order to query Secure boot status you may run:

mokutil --sb-state

Source: http://manpages.ubuntu.com/manpages/impish/man1/mokutil.1.html

For extra credit, is there a way to see which certificate authorities (e.g., Microsoft and Canonical) were used to authenticate the boot loaders?

This is answered in the link you included in the question. Quoting:

amd64: A shim binary signed by Microsoft and grub binary signed by Canonical are provided in the Ubuntu main archive as shim-signed or grub-efi-amd64-signed.

ChanganAuto
  • Regarding the shim binary signed by Microsoft and the grub binary signed by Canonical, that only applies to the case where the computer is shipped with keys in the firmware for Microsoft. It is possible for the user to load their own keys as described in the section, "MOK generation and signing process". Therefore, a user may want to query mokutil or similar for the specific key signatures that were used for the shim and the grub binary. – rlhelinski Sep 01 '21 at 18:35
  • It looks like this information, at least for the grub binary, is listed in the output of mokutil --list-enrolled. – rlhelinski Sep 02 '21 at 04:37
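The same check done directly from the firmware's EFI variables, as an added example that is not part of the answer or comments above: it works on a running system without mokutil, distinguishes "enabled" from "setup mode" (where the key databases are still writable, so nothing is being enforced), and cross-checks with mokutil when it is installed. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (override with EFIVARS=) and that mokutil's --list-enrolled and --db output contains "Issuer:"/"Subject:" lines.

```shell
#!/bin/sh
# Added example: read SecureBoot/SetupMode straight from efivarfs.
# Both variables live under the EFI global variable GUID.
EFI_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"

# efivarfs files begin with a 4-byte attribute word; the variable data follows.
# SecureBoot and SetupMode carry a single data byte: 1 = on, 0 = off.
# Prints that byte, or "missing" when the variable is absent/unreadable.
efivar_byte() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    od -An -tu1 -j4 "$1" | awk '{ print $1; exit }'
}

# Prints one of: enabled, setup-mode, disabled, unknown
secure_boot_state() {
    sb=$(efivar_byte "$EFIVARS/SecureBoot-$EFI_GUID")
    sm=$(efivar_byte "$EFIVARS/SetupMode-$EFI_GUID")
    case "$sb:$sm" in
        *:1)           echo setup-mode ;;  # key stores writable: not enforcing
        1:0|1:missing) echo enabled ;;
        0:*)           echo disabled ;;
        *)             echo unknown ;;     # no efivars: legacy BIOS boot, or not readable
    esac
}

# Extra credit: which certificates the firmware (db) and the shim's MOK list
# hold. Assumes mokutil prints openssl-style certificate text.
list_boot_cas() {
    if ! command -v mokutil >/dev/null 2>&1; then
        echo "mokutil not installed; skipping certificate listing"
        return 0
    fi
    echo "== firmware db =="
    mokutil --db 2>/dev/null | grep -E '^[[:space:]]*(Issuer|Subject):'
    echo "== MOK list (user-enrolled) =="
    mokutil --list-enrolled 2>/dev/null | grep -E '^[[:space:]]*(Issuer|Subject):'
}

main() {
    echo "efivars: $(secure_boot_state)"
    # Cross-check with the answer's command when available.
    command -v mokutil >/dev/null 2>&1 && mokutil --sb-state || true
    list_boot_cas
}
main
```

A result of setup-mode on a production host deserves the same attention as disabled: the firmware will accept new platform keys, so the boot chain is not being verified.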